Financial Services Advisory

Virtual Asset Service Providers (VASP) - CBI Bulletin

The Central Bank of Ireland (‘CBI’) has recently issued its latest Anti-Money Laundering Bulletin, focussing on the Virtual Asset Service Provider (‘VASP’) sector.

In this bulletin, the CBI has provided its observations on a number of significant and widespread deficiencies across authorisation applications received from VASPs, with roughly 90% of all applications not meeting the required standard.

The result of these deficiencies is that the CBI is not satisfied that firms will be able to effectively manage and mitigate the Money Laundering (‘ML’) and Terrorist Financing (‘TF’) risks they face. VASPs were brought within the scope of Anti-Money Laundering and Countering the Financing of Terrorism (AML / CFT) supervision following the updating of the Criminal Justice (Money Laundering and Terrorism Financing) Act in April 2021, and as such are required to meet the obligations set out therein. It is important to note that VASPs are supervised by the CBI for AML/CFT purposes only, so this bulletin carries even more significance.

Key observations on applications

Incomplete applications

A number of authorisation applications were incomplete as they did not contain the required information and documentation (e.g. submitting a copy of the internal risk register in place of a documented risk assessment or submitting policies with no related procedures). These applications were not progressed to the assessment stage.

Applications which progressed to the assessment stage also displayed a number of recurring issues.

Risk Assessment

Firms should underpin their AML/CFT framework with a ML / TF Business Risk Assessment which documents the specific ML/TF risks posed by their products, customers and activities. 

The CBI found that a number of firms did not appropriately assess ML / TF risks, at both an inherent and residual level, related to their customers and / or business activities. Firms also did not consider risk factors as set out in the Irish national risk assessment or CBI AML/CFT Guidelines for the Financial Sector.

Policies and Procedures

A firm’s AML / CFT framework should include a detailed suite of policies and procedures. These policies and procedures should reflect operational practices and align with all legal and regulatory requirements.

Firms should understand the risks posed by their customers, and should collect appropriate documentation to identify and verify the identity of customers, along with any beneficial owners. Firms should understand the customer’s intended purpose for the account or service, and the expected activity. Firms are also required to identify customers that are Politically Exposed Persons (‘PEPs’) as part of the CDD process to ensure they fully understand the risks arising from the customer relationship.

Financial Sanctions Screening

The CBI expects that firms implement an effective screening system to identify sanctioned parties. This system should be supported by clear escalation procedures should a firm identify a positive match.

Several applicant firms failed to document how they would conduct customer screening (i.e. what tool or reg-tech solution would be implemented). A number of firms also failed to document the frequency of customer screening, along with what steps would be taken, and how, in the event of a positive sanctions match.


Whilst firms may outsource certain AML/CFT functions, they remain ultimately responsible for ensuring compliance with their legal obligations. Any outsourced activities should be supported by a documented agreement of obligations on the outsourced service provider, with details of how oversight will be maintained by the firm throughout the course of the agreement.

While a number of applicant VASP firms outsource certain AML / CFT functions, the CBI found that the applications did not include outsourcing policies, procedures, or service level agreements. Firms also failed to demonstrate oversight or assurance testing of outsourced activities.

Presence and Pre-Approval of Controlled Function role holders

It is the CBI’s expectation that a firm has at least one employee in a senior management role located in Ireland to act as point of contact with the CBI. Failure to appropriately meet this requirement may lead to the refusal of an application.

In addition, a number of firms also failed to submit Individual Questionnaires for the proposed Pre-Approval Controlled Function (PCF) role holders in a timely manner.

How can we help?

Grant Thornton understands the challenges faced by VASPs in meeting the CBI and regulatory expectations with respect to AML / CFT. We are well positioned to support firms in addressing these challenges, with a team of over 75 financial crime specialists with deep regulatory and industry experience.